Last updated: 18th March 2026
Monkaru ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our employee shift scheduling application.
This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
We process your personal data based on the following legal grounds:
We use the collected information for the following purposes:
We may share your information in the following circumstances:
We do not sell your personal data to third parties.
We retain your data for the following periods:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Active account data | Duration of your account | Contract (Art. 6(1)(b) GDPR) |
| Deleted items (employees, shifts, schedules, absences) | 30 days in a recoverable state, then permanently deleted | Legitimate interest (Art. 6(1)(f) GDPR) — accidental deletion recovery |
| Activity logs | 90 days (accessible in-app), then archived for up to 2 years | Legal obligation (ArbZG §16) and legitimate interest |
| Audit logs (security events) | 2 years, then permanently deleted | Legal obligation and legitimate interest |
| GDPR data requests | 5 years after completion | Legal documentation requirement |
When you delete data (such as employees, shifts, or schedule entries), it enters a 30-day recovery window. During this period, the data is hidden from normal use but can be restored by an account administrator via the Trash view. After 30 days, the data is permanently and irreversibly deleted by an automated purge process.
Activity logs are accessible in the application for 90 days. After 90 days, logs are automatically moved to a secure archive where they are retained for up to 2 years to comply with working time documentation requirements under Austrian/German labor law (ArbZG §16). Archived logs are not accessible through the application interface. After 2 years, archived logs are permanently deleted.
Important: As a user of our service, you are responsible for ensuring compliance with applicable labor law requirements, including any data retention obligations. We provide the retention mechanisms described above, but the Controller remains responsible for determining appropriate retention periods for their specific legal context.
You have the following rights regarding your personal data:
You have the right to request deletion of your personal data. Upon receiving a formal deletion request under GDPR Article 17:
Note: The 30-day soft-delete recovery window for casual in-app deletions (e.g., removing an employee or shift via the application interface) is separate from formal GDPR erasure requests. A formal GDPR request bypasses the recovery window and proceeds directly to anonymization/deletion.
To exercise these rights, please contact us using the information provided below or use the Data Rights Management page.
We use cookies and similar technologies to enhance your experience:
When you sign in with two-factor authentication (2FA), you may opt in to "Remember this device for 30 days". If you check this option, we set a security cookie (mfa_trusted_device) that allows you to skip the 2FA code entry on subsequent sign-ins from the same browser.
You can control cookie preferences through our cookie consent banner or your browser settings.
We implement appropriate technical and organizational measures to protect your data:
All scheduling, absence, and employee data is stored and processed exclusively within the European Union (database and application server hosted in Germany).
The only personal data transferred outside the EU is billing metadata (email address, customer ID, subscription status) processed by Stripe, Inc. (United States) for payment and subscription management. No scheduling, absence, or employee data is shared with Stripe.
This transfer is protected by the following safeguards:
In the event of a data breach that poses a risk to your rights and freedoms, we will:
We may update this privacy policy from time to time. We will notify you of any material changes by:
Your continued use of our services after such changes constitutes acceptance of the updated policy.
We use Rybbit, a privacy-focused, cookieless analytics tool hosted in the EU (Germany), to understand how our website is used and to improve our services. Rybbit does not use cookies, does not collect personal data, and does not track individual users across sessions. Because no cookies are set and no personally identifiable information is processed, analytics operate under our legitimate interest (Art. 6(1)(f) GDPR) without requiring your consent.
We use Google Search Console to monitor indexing and site health. Search Console does not set cookies for visitors and provides aggregated reporting to us as site owners.
If you have any questions about this privacy policy or our data practices, please contact us:
Website Owner and Data Protection Officer
Name: Manuel Istratoaie
Email: support@monkaru.at
Location: Vienna, Austria
You also have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.
If you submit or manage personal data of employees or company representatives in the Service (such as names, email addresses, identifiers, shift preferences, availability, and related HR data), you, as the data controller, confirm that you have obtained all permissions, consents, or other lawful bases required by applicable law, collective agreements, and internal company policies to provide such data to us and to have it processed for the purposes described in this Privacy Policy.
We act as your data processor and rely on your representations regarding authorization and legal basis. You remain solely responsible for compliance as controller, including honoring any local-law or policy restrictions applicable to your organization.